MITRE ATT&CK® Analytic

AN1629: Analytic 1629

Detects abuse of busybox commands (e.g., `touch`) or log timestamp tampering during backdoor persistence or evasion.

Enterprise · AN1629 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because ESXi hosts often sit underneath critical business services, and abuse of built-in BusyBox utilities or log timestamp manipulation can weaken incident visibility during persistence or evasion activity. For leaders, the decision point is whether virtualization infrastructure logging is trustworthy enough to support containment, recovery, and audit timelines when host-level tampering is suspected.

Executive priority

Prioritize validation of ESXi host monitoring and log integrity. If an attacker can alter timestamps or use native commands in ways that blend into administration, incident responders may lose confidence in when activity occurred, which systems were affected, and whether recovery decisions are based on complete evidence. This is most relevant to resilience planning, privileged administration governance, and compliance evidence for critical virtualization platforms.

Technical view

For SOC and IR teams, use this analytic as a prompt to validate detection around ESXi BusyBox command usage, especially commands such as `touch`, and evidence of log timestamp tampering. Because the ATT&CK object does not provide a detection rule, teams should map local ESXi audit, shell, file metadata, and log collection capabilities to the behavior described. Focus on whether suspicious timestamp changes, unexpected file modification patterns, or unusual administrative command execution can be correlated with privileged access activity on ESXi hosts.

Likely telemetry

  • ESXi host logs and shell/command execution evidence where available
  • File metadata showing creation, modification, or access timestamp changes
  • Log file modification evidence and log collection timestamps
  • Privileged administrator session records for ESXi management access
  • Centralized log forwarding or SIEM ingestion records that can show gaps, delays, or inconsistencies

Detection direction

  • Validate whether ESXi telemetry can show BusyBox command usage or equivalent host-level command execution; many environments have limited host command visibility.
  • Look for suspicious timestamp changes on logs or persistence-related files, especially where file metadata conflicts with centralized collection times or expected administrative activity.
  • Correlate potential tampering with privileged login/session records to reduce false positives from legitimate maintenance.
  • Tune carefully for legitimate use of commands such as `touch`; the command alone is not sufficient without context such as target path, timing, user, and surrounding activity.
  • Assess blind spots where ESXi logs are stored only locally, are not forwarded promptly, or can be altered before collection.
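The two checks in the list above (BusyBox `touch` usage against log or persistence paths, and file metadata that disagrees with the log's own contents) can be prototyped offline. The script below is an added example and is not part of the ATT&CK object or of Glexia's analysis; the shell-log line format (`<ISO time> shell[pid]: [user]: <command>`), the privileged-session records, the watched path prefixes and the function names are all assumptions modelled loosely on ESXi shell logging, and the sample lines are constructed. It flags only `touch` invocations that set or copy a timestamp (`-t`, `-d`, `-r`), joins each finding with a known administrative session window so routine maintenance can be tuned out, and separately reports a log whose filesystem mtime is older than the newest record it contains.

```python
"""Added example: detection prototypes for timestamp tampering on an ESXi-style host.

Both the shell-log format and the session table below are assumptions; the log lines
are constructed for the demo and are not real ESXi output.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample lines in the assumed format "<ISO time> shell[pid]: [user]: <command>".
SAMPLE_SHELL_LOG = """\
2026-03-01T10:00:01Z shell[1001]: [root]: ls /vmfs/volumes
2026-03-01T10:00:15Z shell[1001]: [root]: touch /tmp/healthcheck
2026-03-01T10:01:02Z shell[1001]: [root]: touch -t 202602280800 /var/log/auth.log
2026-03-01T02:13:44Z shell[2002]: [root]: touch -r /var/log/vmkernel.log /etc/rc.local.d/local.sh
2026-03-01T10:05:00Z shell[1001]: [root]: cat /var/log/hostd.log
"""

# Constructed privileged-session windows (user, start, end) from management access records.
SAMPLE_SESSIONS = [
    ("root", "2026-03-01T09:55:00Z", "2026-03-01T10:10:00Z"),  # scheduled maintenance window
]

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")
RECORD_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")
# BusyBox touch options that set or copy a timestamp; each one consumes a following value.
TIMESTAMP_OPTS = {"-t", "-d", "-r"}
# Assumed paths worth watching: log locations and a persistence-related startup script directory.
WATCHED_PREFIXES = ("/var/log", "/var/run/log", "/scratch/log", "/etc/rc.local.d")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_session(user, ts, sessions):
    """True when ts falls inside a recorded privileged session for that user."""
    return any(u == user and parse_ts(a) <= ts <= parse_ts(b) for u, a, b in sessions)


def touch_targets(argv):
    """Split a BusyBox touch argv into (timestamp-setting options, target paths).

    The value after -t/-d/-r (a time string or a reference file) is not a target.
    """
    opts, targets, i = set(), [], 1
    while i < len(argv):
        a = argv[i]
        if a in TIMESTAMP_OPTS:
            opts.add(a)
            i += 2
        elif a.startswith("-"):
            i += 1  # flags such as -c take no value
        else:
            targets.append(a)
            i += 1
    return opts, targets


def scan_shell_log(text, sessions):
    """Return findings for touch commands that rewrite timestamps on watched paths."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_s, _pid, user, cmd = m.groups()
        argv = cmd.split()
        if not argv or argv[0] != "touch":
            continue
        opts, targets = touch_targets(argv)
        watched = [p for p in targets if p.startswith(WATCHED_PREFIXES)]
        if not (opts & TIMESTAMP_OPTS) or not watched:
            continue  # plain file creation, or a path nobody cares about
        findings.append({
            "time": ts_s, "user": user, "command": cmd, "targets": watched,
            "within_privileged_session": in_session(user, parse_ts(ts_s), sessions),
        })
    return findings


def check_log_mtime(path):
    """Return (inconsistent, mtime, newest_record) for a log whose records start with an ISO time.

    A file cannot legitimately have been last written before its own newest record, so an
    mtime older than that record points at metadata manipulation (or a clock problem).
    """
    newest = None
    with open(path) as fh:
        for line in fh:
            m = RECORD_TS_RE.match(line)
            if m:
                t = parse_ts(m.group(1))
                newest = t if newest is None or t > newest else newest
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    return (newest is not None and mtime < newest), mtime, newest


def demo_backdated_log():
    """Write the constructed log, back-date its mtime as `touch -t` would, and run the check."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE_SHELL_LOG)
        path = fh.name
    backdated = parse_ts("2026-02-28T08:00:00Z").timestamp()
    os.utime(path, (backdated, backdated))
    try:
        return check_log_mtime(path)[0]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG, SAMPLE_SESSIONS):
        print(f)
    print("back-dated mtime detected:", demo_backdated_log())
```

On the constructed input the plain `touch /tmp/healthcheck` is ignored, the `-t` rewrite of `/var/log/auth.log` is flagged but marked as inside the maintenance window, and the `-r` copy onto the startup script is flagged outside any recorded session, which is the combination an analyst would escalate first. The mtime check only works where records carry their own timestamps; it is a consistency test on collected copies, not a substitute for forwarding logs off the host before they can be altered.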

Mitigation priorities

  • Ensure ESXi logs are centrally collected and protected from host-local tampering where feasible.
  • Restrict and monitor privileged administrative access to ESXi hosts.
  • Establish baselines for expected maintenance activity and command usage on virtualization hosts.
  • Include log integrity and timestamp validation in ESXi incident response playbooks.
  • Use this analytic to drive control testing rather than assuming coverage, because no official detection logic is supplied.

Analyst notes and limits

This is an ATT&CK detection analytic for ESXi describing abuse of BusyBox commands, such as `touch`, or log timestamp tampering during backdoor persistence or evasion. No ATT&CK tactics, relationships, or detailed detection logic were supplied, so the practical value is in validating telemetry, log integrity, and privileged administration monitoring around ESXi hosts.

The source object provides a short description only and no official detection implementation, tactic mapping, related techniques, adversary relationships, or evidence of active exploitation. Local ESXi configuration, logging depth, and administrative practices are required to determine coverage and priority.

Official MITRE ATT&CK definition

Analytic 1629

Detects abuse of busybox commands (e.g., `touch`) or log timestamp tampering during backdoor persistence or evasion.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created:
  • Modified:
  • Raw hash: b5062239c1dda6f2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b5062239c1dd…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1629 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.